studio/docs
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

(back) install and configure django csp (#1085)

Browse Source 
We want to protect all requests from django with content security
policy header. We use the djang-csp library and configure it with
default values.

Fixes #1000
This commit is contained in:
Manuel Raynaud
2025-06-30 10:42:48 +02:00
committed by GitHub
parent 4ae757ce93
commit dfdfe83db5
6 changed files with 196 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/backend/core/api/viewsets.py
View File

@@ -25,6 +25,8 @@ from django.utils.translation import gettext_lazy as _
import requests
import rest_framework as drf
from botocore.exceptions import ClientError
from csp.constants import NONE
from csp.decorators import csp_update
from lasuite.malware_detection import malware_detection
from rest_framework import filters, status, viewsets
from rest_framework import response as drf_response
@@ -1412,6 +1414,7 @@ class DocumentViewSet(
name="",
url_path="cors-proxy",
)
@csp_update({"img-src": [NONE, "data:"]})
def cors_proxy(self, request, *args, **kwargs):
"""
GET /api/v1.0/documents/<resource_id>/cors-proxy
@@ -1452,7 +1455,6 @@ class DocumentViewSet(
content_type=content_type,
headers={
"Content-Disposition": "attachment;",
"Content-Security-Policy": "default-src 'none'; img-src 'none' data:;",
},
status=response.status_code,
)

46
src/backend/core/tests/documents/test_api_documents_cors_proxy.py
View File

@@ -23,10 +23,25 @@ def test_api_docs_cors_proxy_valid_url():
assert response.status_code == 200
assert response.headers["Content-Type"] == "image/png"
assert response.headers["Content-Disposition"] == "attachment;"
assert (
response.headers["Content-Security-Policy"]
== "default-src 'none'; img-src 'none' data:;"
)
policy_list = sorted(response.headers["Content-Security-Policy"].split("; "))
assert policy_list == [
"base-uri 'none'",
"child-src 'none'",
"connect-src 'none'",
"default-src 'none'",
"font-src 'none'",
"form-action 'none'",
"frame-ancestors 'none'",
"frame-src 'none'",
"img-src 'none' data:",
"manifest-src 'none'",
"media-src 'none'",
"object-src 'none'",
"prefetch-src 'none'",
"script-src 'none'",
"style-src 'none'",
"worker-src 'none'",
]
assert response.streaming_content
@@ -77,10 +92,25 @@ def test_api_docs_cors_proxy_authenticated_user_accessing_protected_doc():
assert response.status_code == 200
assert response.headers["Content-Type"] == "image/png"
assert response.headers["Content-Disposition"] == "attachment;"
assert (
response.headers["Content-Security-Policy"]
== "default-src 'none'; img-src 'none' data:;"
)
policy_list = sorted(response.headers["Content-Security-Policy"].split("; "))
assert policy_list == [
"base-uri 'none'",
"child-src 'none'",
"connect-src 'none'",
"default-src 'none'",
"font-src 'none'",
"form-action 'none'",
"frame-ancestors 'none'",
"frame-src 'none'",
"img-src 'none' data:",
"manifest-src 'none'",
"media-src 'none'",
"object-src 'none'",
"prefetch-src 'none'",
"script-src 'none'",
"style-src 'none'",
"worker-src 'none'",
]
assert response.streaming_content

19
src/backend/core/tests/test_api_config.py
View File

@@ -62,6 +62,25 @@ def test_api_config(is_authenticated):
"AI_FEATURE_ENABLED": False,
"theme_customization": {},
}
policy_list = sorted(response.headers["Content-Security-Policy"].split("; "))
assert policy_list == [
"base-uri 'none'",
"child-src 'none'",
"connect-src 'none'",
"default-src 'none'",
"font-src 'none'",
"form-action 'none'",
"frame-ancestors 'none'",
"frame-src 'none'",
"img-src 'none'",
"manifest-src 'none'",
"media-src 'none'",
"object-src 'none'",
"prefetch-src 'none'",
"script-src 'none'",
"style-src 'none'",
"worker-src 'none'",
]
@override_settings(